The General Data Protection Regulation (GDPR) is intended to give people greater control over their personal data and make companies accountable for data breaches, and makes improvements for critical security and privacy concerns. For users to understand how their personal data is used, it's important they provide businesses with explicit and informed consent.
While some companies groan that the new security requirements are too complex, they’re actually quite simple.
First, several security platforms not only help companies protect their data, but also help check for compliance with security and privacy regulations. These can range from data security solutions, to compliance checking tools. Secondly, because the new security standards apply broadly across the EU, they will streamline security regulation for businesses in the long-term.
Importantly, the regulation helps keep tech giants in check, making it harder for them to abuse their users’ personal information. This is crucial in light of Facebook’s recent Cambridge Analytica scandal, in which personal data of 87 million users was leaked, and that has raised concerns regarding additional usage of this data by third parties.
Nonetheless, GDPR isn’t a perfect solution. Here’s why there’s still room for improvement:
GDPR or just plain ‘PR’?
Just like any law, GDPR isn’t watertight. Tech giants could very well find loopholes that help them avoid making significant changes. If this is the case, GDPR could backfire and end up as little more than good PR for companies that aren’t actually making real security improvements.
GDPR compliance could paint companies in a better light than they really deserve, blinding unsuspecting consumers to instances where privacy and security measures are weaker.
Behavioral data: a grey area
While GDPR regulates the abuse of personal data such as demographic information, credit card numbers, and IP addresses, it still ignores behavioral data, which is a direct window into personal information.
Even when consumers don’t directly hand over their information, their personal information is quite easy to obtain based on inferences taken from their online behavior. For example, a company could make inferences based on a person’s gender, age group, ethnic identity, and more, based on the websites they visit or their social media behavior. Indeed, much of today's marketing software are designed specifically for this purpose.
Because of this potential loophole, social media platforms, which have an upper hand in their access to a wide range of consumer interests and activity, may require additional regulation than is currently required of them under GDPR.
The myth of user responsibility
Some companies are meeting GDPR compliance by giving consumers the option to share less. But problematically, this presupposes that users, and not companies, are the ones responsible for their data.
This is one area where GDPR might fail to keep big companies in check. Often, consumers aren’t aware of just how much their data is collected and used, and most of them won’t take the time to sort through the hundreds of new privacy policy emails and then adjust their privacy settings accordingly.
While most companies try to creatively engage consumers in their privacy policy updates, most consumers, overwhelmed by the deluge of new information, aren’t likely to read or comprehend the revised policy of each and every site or app.
As it stands, many companies, like Facebook, require consumers to “opt out” of personal data collection if they don’t want to share their information. But businesses need to make consumer security something that’s built-in, rather than something that exclusively benefits users who are already in the know.
If anything, the default should be that consumers are already opted out, with the option to “opt in.”
Security concerns on the production end
As with tech companies, manufacturers, and not individual consumers, should be responsible for ensuring personal security.
GDPR fails to regulate smart devices, which gather hoards of personal and behavioral data about their consumers. While it does regulate companies that make use of this data, it doesn’t take preventative measures against the manufacturers themselves.
Smart and IoT devices shouldn’t rely on the consent of (often unsuspecting) users when it comes to personal data collection and security. Instead, they should be required to implement built-in protections in their devices that can help protect against hacking and data breaches.
Setting the stage for improved data protection
For the most part, GDPR is a step in the right direction for securing user privacy in an era of widespread information sharing. Importantly, it also signifies public and legal recognition of security risk and privacy infringement.
Between its ambiguous stance on behavioral data to its implicit emphasis on user responsibility, there’s much work to be done. Hopefully, GDPR is just the first of many such regulations, one that sets a global precedent for improved privacy protection in the future.